By special arrangement, the authors of a new book titled “Full Disclosure: The Perils and Promise of Transparency” have allowed Compliance Week to reprint an excerpt on what makes transparency policies sustainable.

In today’s world of daily and instantaneously communicated risks, crises and scandals related to ethics and compliance—or what we call “E&C” risks—it is no longer simply desirable for companies to have an E&C risk-management program: It is a business necessity. Indeed, it is increasingly crucial to have an E&C risk-management system that is integrated with a company’s enterprise risk-management system.

The institutionalization of the compliance function has caused many companies to assemble committees to coordinate and oversee such efforts. But these compliance committees can have vastly different compositions and functions, tackling everything from investigation of whistleblower complaints to oversight of compliance with the U.S. Sentencing Commission's organizational sentencing guidelines.

I heard TJX Cos. was compliant with the PCI standards for data privacy and hackers still swiped 45.7 million customer records. Is that true? Does PCI compliance protect me against a breach? If it doesn’t, what should I be doing?

Viruses. Worms. Trojans. Denial-of-service attacks. IT security professionals have long wrestled with these and many other external threats, and a bustling industry has sprung up to fend off the pests.

Until now, the data security provisions of the Health Insurance Portability and Accountability Act received scant attention from regulators, particularly compared to enforcement activity for other federal information security mandates like the Sarbanes-Oxley Act or the Gramm-Leach-Bliley Act.

OK, compliance and ethics directors: what would you do if your e-mail monitoring system uncovered a romantic relationship between two employees? Or what would you do if you discovered an employee was using his office computer to post corporate information—though completely banal—on his personal blog?

The need for a fancy identity-management system to control access to IT systems depends on how big and complex you are and how much pain your company can take. Linda DiPaola, with fewer than 500 employees to track, does just fine without a system at all.

Nearly two years after a German court ruled that Wal-Mart’s proposed whistleblower process violated German law, creating headaches for U.S. multinationals trying to implement whistleblower systems to comply with Sarbanes-Oxley, Germany has finally published its own set of guidelines for companies to impose such systems without violating local laws.

As technology proliferates, the amount of personal information collected, used, stored, transferred, and disposed of by organizations increases. In turn, the risk that data will be breached at some point along the information lifecycle increases. Over the past few years, several laws and regulations have been enacted to encourage organizations to address these risks.

There is no “typical” data breach and, unfortunately, no simple set of steps to secure an organization’s critical information, according to a study of 345 U.S. data breaches reported in the year ended April 1.

Last month, retailer TJX Cos. joined the long list of businesses tarred and embarrassed by losing sensitive customer information. One mildly consoling thought for compliance executives: loss of customer data doesn’t really harm the integrity of financial statements, so a breach doesn’t necessarily plunge you into Sarbanes-Oxley difficulties.

This month, Compliance Week and the Open Compliance and Ethics Group present the third installment of our regular series, "GRC Illustrated." In this month's entry, GRC Illustrated demonstrates how technology can be leveraged to build a GRC system efficiently and take full advantage of it.

Letters exchanged between the Securities and Exchange Commission and an important study group in the European Union are offering new hints to companies trying to bridge a trans-Atlantic regulatory spat over whistleblower hotlines.

It’s the disappointing truth about much of Corporate America’s IT efforts: Despite years of overhauls, tweaks, and projects, many companies still remain unprepared for lawsuits, audits, or regulatory probes because they lack the IT infrastructure to manage their data effectively and apply it to compliance efforts. So say two recent studies trying to gauge the general unpreparedness of corporate IT departments.

Last week’s dramatic shift in power in Washington—with Democrats regaining both chambers of Congress—could change the tone with respect to corporate-governance issues and has renewed hopes that Congress might relax aspects of Sarbanes-Oxley.

Compliance with data-privacy rules is vexing enough for companies in the United States, with a myriad of rules and jurisdictions, imprecise definitions, and nightmarish bad publicity when things go awry. The novice might guess that compliance in the European Union is even more difficult, with Europe’s added layers of bureaucracy and different cultural norms. Unfortunately, the novice would be right.